Skip to content

Limit phishing_blue_button_links to anchors that actually have a link#4817

Open
thunderkatz wants to merge 4 commits into
mainfrom
jkatzman/phishing-blue-button-links-first-filter
Open

Limit phishing_blue_button_links to anchors that actually have a link#4817
thunderkatz wants to merge 4 commits into
mainfrom
jkatzman/phishing-blue-button-links-first-filter

Conversation

@thunderkatz

@thunderkatz thunderkatz commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Description

If the anchor's href is to something like "#", there's no point in evaluating its style. Move the faster filters first.

Associated samples

n/a

Associated hunts

https://platform.sublime.security/hunts/019f3cd1-39e4-7254-bd45-22d6bae942ec
Found 7 message groups:

  • One had href="#" and was still flagged by a medium severity rule
  • All others had href="" surrounding no text, and were still flagged by multiple high severity rules

Screenshot (insights)

n/a

Dashboards point at regex.icontains(.raw, ...) as the cost driver on
content-heavy anchors. filter() ran that regex against every matched anchor
unconditionally; folding the check into a single AND chain inside any(),
ordered cheapest-first, lets short-circuiting skip the regex whenever an
anchor has no parseable link at all (href="#", tel:, mailto:, cid:, etc.
never produce a .links entry) or its link is already excluded by domain.
@github-actions github-actions Bot added the review-needed Indicates that a PR is waiting for review label Jul 7, 2026
@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Shared Samples Sync - Action Required

This PR was not automatically synced to shared-samples because the author is not a member of the sublime-security organization.

To enable syncing, an organization member can comment /update-shared-samples on this PR.

Once triggered, the rules will be synced on the next scheduled run (every 10 minutes).

@thunderkatz thunderkatz marked this pull request as ready for review July 7, 2026 14:19
@thunderkatz thunderkatz requested a review from a team July 7, 2026 14:19
@thunderkatz thunderkatz requested a review from a team as a code owner July 7, 2026 14:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant